DEV Community: Amogh Deshpande

Performance Analysis of Full-Stack (Java + Angular) Application on Amazon EKS with Async-Profiler

Amogh Deshpande — Sun, 18 May 2025 13:59:17 +0000

Table of Contents -

Key Challenges in full stack application Performance
Need of Async-Profiler
Introduction
Steps to follow to analyze full stack application

• Environment Setup
• Application Containerization
• Performance Monitoring Setup
• Data Collection and Analysis
• Visualization and Monitoring
• Optimization Process
• Cleanup
Summary
Conclusion

Key Challenges in full stack application Performance –

Java-Specific Challenges
• Cold-start latency in Java containers due to JVM warmup.
• Asset loading delays in Angular containers.
• Safepoint bias in traditional Java profilers.
Angular-Specific Challenges
• Angular Frontend Performance Degradation - poorly optimized Angular apps cause excessive change detection cycles & Slow First Contentful Paint (FCP).
• API call inefficiencies - Unoptimized HTTP requests create backend pressure.
EKS Operational Challenges
• Scaling Inefficiencies on EKS - Uneven pod resource usage leads to Over-provisioning & Under-provisioning (app throttling).
• Network Latency between Frontend & Backend.
• Lack of End-to-End Visibility.
• Production Debugging Complexity.

Need of Async-Profiler –

Async-Profiler addresses critical Java profiling limitations:
1) 1% overhead enables production-safe continuous profiling.
2) Safepoint-free sampling captures accurate execution traces.
3) Multi-event profiling (CPU, memory, locks) in single tool.

Introduction –

Async-Profiler excels at diagnosing JVM bottlenecks, browser tools reveal frontend issues like slow rendering or excessive API calls.

Analyzing the performance of a full-stack application (Java and Angular) running on Amazon EKS requires a combined approach, as async-profiler is primarily focused on the Java backend.

Async-Profiler is a low-overhead sampling profiler for Java applications running on the HotSpot JVM. For the Angular frontend, you’ll primarily rely on browser developer tools and potentially some Angular-specific profiling techniques.

Container startup performance presents a significant challenge for Java-angular applications running on Kubernetes, particularly during scaling events and recovery scenarios.

Application Architecture

Performance profiling in containerized Java applications has long presented significant challenges. Async-profiler, a lightweight sampling solution that offers an interesting approach for Java workloads running on Amazon Elastic Kubernetes Service (Amazon EKS). Eliminating traditional Safepoint bias issues enables more accurate performance analysis.

Steps to follow to analyze full stack application –

1. Environment Setup

Prerequisites -

1) AWS Account with EKS access
2) Java 21 Spring Boot backend application
3) Angular frontend application
4) AWS Cloud-Shell for environment bootstrapping
5) Amazon EKS cluster
6) Initial Setup Steps

1) Deploy Infrastructure:

Using eksctl to create EKS cluster
eksctl create cluster — name full-stack-cluster — region your-region

2) Configure Container Registry:

1) Create repositories in Amazon ECR for both frontend and backend images
2) Push your container images to ECR

2. Application Containerization

Backend (Java) Containerization

FROM openjdk:21-jdk AS builder
WORKDIR /app
COPY . /app
RUN ./mvnw clean package
FROM openjdk:21-jre
RUN apt-get update && apt-get install -y async-profiler
COPY — from=builder /app/target/app.jar /app/app.jar
ENTRYPOINT [“java”, “-agentpath:/async-profiler/libasyncProfiler.so=start,event=cpu,file=/tmp/profile.html”, “-jar”, “/app/app.jar”]

Frontend (Angular) Containerization

FROM node:latest AS builder
WORKDIR /app
COPY . .
RUN npm install
RUN npm run build — prod
FROM nginx:alpine
COPY — from=builder /app/dist/* /usr/share/nginx/html/

3. Performance Monitoring Setup

Backend Profiling
1) Configure Async-Profiler

deployment.yaml
spec:
containers:
— name: backend
env:
— name: JAVA_TOOL_OPTIONS
value: “-agentpath:/async-profiler/libasyncProfiler.so=start,event=cpu,file=/tmp/profile.html”

2) Enable Continuous Profiling

volumeMounts:
— name: profiles
mountPath: /tmp/profiles
volumes:
— name: profiles
persistentVolumeClaim:
claimName: s3-profile-storage

Continuous profiling results on Amazon S3

Continuous Profiling graph

Frontend Monitoring
1) Install Angular DevTools

Add Chrome DevTools extension for Angular performance monitoring
Enable performance tracking in your Angular application:

// main.ts
if (environment.production) {
enableProdMode();
if (window) {
window.console.log = () => {};
}
}

4. Data Collection and Analysis

Backend Performance Analysis
1) CPU Profiling:

Access the pod
kubectl exec -it — /bin/bash

Start profiling
jcmd 1 AsyncProfiler:start,event=cpu,file=/tmp/cpu-profile.html

2) Memory Analysis:

Heap allocation profiling
jcmd 1 AsyncProfiler:start,event=alloc,file=/tmp/heap-profile.html

Frontend Performance Analysis
1) Use Chrome Dev-Tools:

1) Open Chrome Dev-Tools (F12)
2) Navigate to Performance tab
3) Record page load and user interactions

2) Angular-Specific Metrics:

1) Monitor change detection cycles
2) Track component render times
3) Analyze bundle sizes

5. Visualization and Monitoring

Integrated Monitoring Setup
1) Configure Grafana Dashboard:

grafana-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: grafana
spec:
template:
spec:
containers:
— name: grafana
image: grafana/grafana

2) Set up Prometheus:
1) Deploy Prometheus for metrics collection
2) Configure scrape targets for both frontend and backend

Performance Data Visualization
1) Create Custom Dashboards:

1) Backend metrics (response times, CPU usage)
2) Frontend metrics (page load times, component performance)
3) End-to-end transaction traces

6. Optimization Process

1) Analyze Bottlenecks:

1) Review Flame Graphs from Async-Profiler
2) Check Angular Dev-Tools reports
3) Examine end-to-end transaction traces

2) Implement Improvements:

1) Optimize database queries
2) Implement caching where appropriate
3) Reduce bundle sizes
4) Optimize Angular change detection

3) Verify Improvements:

1) Re-run profiling after changes
2) Compare before/after metrics
3) Monitor user experience metrics

7. Cleanup

Remove profiling data
kubectl exec -it — rm /tmp/profile.html

Delete monitoring resources
kubectl delete -f grafana-deployment.yaml
kubectl delete -f prometheus-deployment.yaml

Delete EKS cluster
eksctl delete cluster — name full-stack-cluster

Summary –

Conclusion –

Async-Profiler is a powerful tool for profiling Java applications, identifying performance bottlenecks such as high CPU usage, memory leaks, and inefficient thread execution.
For Angular, browser-based profiling tools like Chrome Dev-Tools help uncover slow rendering, excessive API calls, and unnecessary change detection cycles.
By combining Async-Profiler, Angular debugging techniques, and AWS observability tools, teams can proactively improve performance, reduce latency, and optimize cloud resources for a smoother user experience.
Automating profiling and integrating it into CI/CD pipelines ensures ongoing performance health and early detection of regressions.
The choice between on-demand profiling and continuous profiling depends on your goals -
1) Use on-demand profiling during development, testing, or when debugging known issues.
2) Use continuous profiling in production for proactive performance management, especially in complex or high-traffic systems.

AWS Security Best Practices for Enterprise Java & Angular Applications

Amogh Deshpande — Sat, 03 May 2025 05:48:10 +0000

Table of Contents -

Introduction
Why Security is Essential in Cloud-Based Java & Angular Applications
AWS Security Best Practices

• Identity and Access Management (IAM) with Least Privilege
• Network Segmentation and VPC Best Practices
• Data Encryption: At-Rest and In-Transit
• Secure Application Secrets Management
• Protecting the Application Layer
• Monitoring, Logging, and Automated Security Auditing
• DDoS Protection and Web Application Firewall (WAF)
• Compliance and Auditing
• Periodic Penetration Testing
Advantages of AWS Security
Disadvantages of AWS Security
Summary
Conclusion

Introduction -

When building a large-scale Java and Angular application on AWS, we must consider security at every layer from the underlying AWS infrastructure to the application code.

Critical Insight: 63% of cloud breaches originate from misconfigured IAM roles and exposed storage (2023 AWS Security Report).

Why Security is Essential in Cloud-Based Java & Angular Applications -

Security isn't a feature—it's the foundation. In cloud-native applications, every line of Java and Angular code must be written through a security lens.

Security is critical for enterprise Java and Angular applications on AWS due to the increased threat surface, regulatory compliance requirements, and AWS’s shared responsibility model. While AWS provides powerful built-in tools for identity management, encryption, monitoring, and compliance, it’s still our responsibility to configure and manage them securely.

The Shared Responsibility Model
When deploying Java + Angular applications on AWS, security spans:
✅ AWS Infrastructure Security (VPC, IAM, WAF)
✅ Application Layer Security (Spring Boot, Angular Guards)
✅ Data Protection (Encryption, Secrets)
✅ Operational Resilience (Monitoring, Auto-Remediation)

AWS Organization structure

High Level Architecture

AWS Security Best Practices -

1. Identity and Access Management (IAM) with Least Privilege
Best Practice: Adopt a strict least privilege approach with our IAM policies. Assign users, roles, and services only the permissions they require, and enforce role-based access control (RBAC).

IAM Security Model

Service Account for Java & Angular Apps:
When running Java backend services (EC2, ECS, Lambda) or frontend deployments (S3, CloudFront), avoid using root credentials. Instead:
1) Use IAM Roles for AWS Services
• Assign IAM roles to EC2 instances (via instance profiles) or Lambda functions instead of hardcoding credentials.
• Example: A Java microservice running on EC2 should have a role allowing only DynamoDB read/write access, not full admin rights.

2) AWS Secrets Manager for Java Backend
• Store database passwords, API keys, and third-party credentials in AWS Secrets Manager.
• Retrieve them programmatically in Java using the AWS SDK:

3) Angular Frontend & Secure API Access
• Never store AWS credentials in Angular (client-side code is exposed).
• Instead, use Amazon Cognito for user authentication and IAM roles for backend API access.
• Configure CORS policies in API Gateway to restrict frontend access.
4) Temporary Credentials for CI/CD Pipelines
• Use AWS STS (Security Token Service) with AssumeRole for CI/CD deployments (e.g., GitHub Actions, CodePipeline).
• Example GitHub Actions IAM role assumption:

Examples:
Do not use root credentials for everyday tasks. Instead, create IAM roles for our services (e.g., EC2, Lambda) and assign specific policies.

Policy Example:

Real-Time Scenario: In a large-scale environment, our Java backend might run on an EC2 fleet or containers in ECS/EKS. By assigning each instance a dedicated IAM role with specific S3 and database access policies, we can reduce the attack surface and prevent over-privileged access that can lead to data breaches.

2. Network Segmentation and VPC Best Practices
Best Practice: Use Amazon Virtual Private Cloud (VPC) to isolate our application components, establishing layers of security through private subnets, security groups, and network ACLs.

Network Security & VPC Architecture

Examples:
Segregate resources:
• Place our backend services (Java APIs, databases) inside private subnets.
• Expose only the Angular front-end (via a load balancer or API Gateway) in public subnets.

Security Group Rules:
Example: Allow HTTP/HTTPS traffic only from our load balancer

Real-Time Scenario: A highly trafficked e-commerce application could reside in a multi-tiered VPC where the Angular application is served via a CDN and routed through an Application Load Balancer. The backend Java services reside in isolated private subnets, ensuring that even if the frontend is compromised, critical data remains inaccessible from the internet.

3. Data Encryption: At-Rest and In-Transit
Best Practice: Encrypt sensitive data both at-rest and in-transit. Use AWS Key Management Service (KMS) to manage encryption keys, and ensure our applications use HTTPS/TLS for secure data transmission.

Data Protection & Encryption

Java Backend Implementation

Angular-Specific Protections
• Enforce HTTPS via nginx.conf

• Use Angular's @angular/common/http with interceptors for JWT encryption

Examples:
At-Rest Encryption:
• Enable EBS volume encryption for EC2 instances.
• Use S3 bucket policies to enforce encryption (SSE-S3 or SSE-KMS).

In-Transit Encryption:
• Configure our API endpoints to use HTTPS.
• For the Angular front-end, enforce HTTPS and secure cookie flags.

Real-Time Scenario: Whether our Java backend handles payment transactions or personal data, encryption ensures that even if an attacker intercepts the data or gains access to the storage layer, the information remains unreadable without the proper keys.

4. Secure Application Secrets Management
Best Practice: Avoid embedding sensitive credentials directly in our code. Use AWS Secrets Manager or AWS Systems Manager Parameter Store to securely manage and rotate secrets.

Secrets Management Architecture

Examples:
Using AWS Secrets Manager in Java:

Frontend Secret Handling
• Store API keys in AWS Systems Manager Parameter Store
• Inject during CI/CD via CodeBuild environment variables

Real-Time Scenario: The backend uses secrets stored in AWS Secrets Manager to access databases and third-party services. Automated secret rotation reduces the risk of credential leakage over time. In our Angular front-end, we may only need to interact with authentication tokens, while the heavy lifting happens on the backend.

5. Protecting the Application Layer
Best Practice: Harden both the Angular and Java layers with appropriate application security measures.

Angular-Specific Tips:
• Use Angular’s built-in XSS protection mechanisms and Content Security Policies.
• Sanitize inputs and validate data on the client side.
• Implement proper CORS policies on our backend to restrict origins that can communicate with our API.

Example
• CSP: meta http-equiv="Content-Security-Policy" in index.html
• XSS Protection:

• Route Guards: AuthGuard with JWT validation

Java-Specific Tips:
• Implement robust authentication and authorization, for instance using Spring Security.
• Validate all inputs and leverage frameworks that protect against SQL injection, CSRF, and other common vulnerabilities.
• Consider using API Gateway with custom authorizers when exposing our Java services.

Application Security Controls

Real-Time Scenario: A corporate dashboard that integrates sensitive financial data requires both a secure front-end and a hardened Java API. By ensuring that Angular sanitizes user inputs and that Java backends enforce strict authentication using OAuth/JWT tokens (possibly managed with AWS Cognito), we can create a multi-layered security posture that minimizes risk of common web vulnerabilities.

6. Monitoring, Logging, and Automated Security Auditing
Best Practice: Continuously monitor and log all activities using AWS CloudTrail, Amazon CloudWatch, and AWS Config. Establish an incident response process to handle suspicious activity.

Monitoring & Logging Architecture

Examples:
CloudTrail: Enable CloudTrail logging to capture API calls and changes across our account.
CloudWatch Alarms: Set up alarms on unusual activities like failed login attempts or unusual API call patterns.

Real-Time Scenario: In a large-scale application, our AWS environment’s complexity increases the risk of subtle misconfigurations. With tools like AWS GuardDuty and AWS Config Rules integrated into our CI/CD pipeline, we can detect and remediate vulnerabilities before they are exploited.

7. DDoS Protection and Web Application Firewall (WAF)
Best Practice: Use AWS Shield (Standard or Advanced) and AWS WAF to protect applications against Distributed Denial of Service (DDoS) attacks and common web exploits.

DDoS Protection & Web Application Firewall

Examples:
AWS WAF: Configure rules to filter out malicious requests based on IP reputation, SQL injection, or cross-site scripting patterns.

Integration Sample: When using an Application Load Balancer:
• Attach AWS WAF to the load balancer.
• Use preconfigured managed rule sets provided by AWS or third-party vendors.

Critical Scans
• Java: OWASP Dependency-Check + Snyk
• Angular: npm audit + CSP validator
• Infrastructure: cfn-nag for CloudFormation templates

Real-Time Scenario: For applications that receive high levels of web traffic such as popular online services the combination of Shield and WAF ensures that a sudden spike in traffic doesn’t compromise application availability or lead to data exfiltration by blocking malicious actors in real time.

8. Compliance and Auditing: Regularly run compliance checks using AWS Config and third-party tools to ensure our environment adheres to standards like PCI-DSS, HIPAA, or GDPR.

Security Testing & Compliance Framework

9. Periodic Penetration Testing: Incorporate regular security assessments and penetration testing exercises to identify and remediate vulnerabilities proactively.

Penetration Testing Toolkit
• Backend: OWASP ZAP + Burp Suite
• Frontend: AuthMatrix + Postman security scans
• Infrastructure: Prowler + ScoutSuite

Advantages of AWS Security -

• Fine-grained IAM and role-based access.
• Built-in encryption and key management.
• Scalable threat detection and monitoring (CloudTrail, GuardDuty).
• Compliance-ready infrastructure (SOC 2, HIPAA, PCI-DSS).

Disadvantages of AWS Security -

• Misconfigurations can lead to major vulnerabilities.
• Steep learning curve for managing security tools.
• Tool fragmentation and integration overhead.
• Additional cost for advanced services (e.g., Shield Advanced, Macie).

Summary –

Defense in Depth Summary

Conclusion -

• Never trust user input: Validate on both Angular and Java layers
• Assume breach: Implement zero-trust network segmentation
• Automate security: Embed scans in CI/CD pipelines
• Monitor exhaustively: Unified logs with CloudWatch + X-Ray

👉 By applying these practices, your application is not only secure and compliant—but also resilient, scalable, and trusted by users.